\subsection{Concept}
\label{sec:design_concept}

\begin{figure}
\centering
\includegraphics[width=3in]{Images/architecture_ideal.png}
%\includegraphics[width=0.75\textwidth]{Images/architecture_ideal.png}
\caption{Architecture of an in-kernel (SELinux module) reference monitor including support for cryptographic protection}
\label{fig:architecture_ideal}
\end{figure}

As discussed above, the basic problem with name resolution is that user-space processes cannot avoid race conditions.  Therefore it is left to the kernel to enforce name resolution policy.  To implement a meaningful policy, the history of the file must be available, and again only the kernel can avoid race conditions when resolving file history.  What is needed then is a kernel-level reference monitor.  This monitor would arbitrate every access to a file and record the event of modifying a file.  Later, when the file is referenced again, this same mechanism will inspect the history of the file and report the validity of the file, based on some policy.  The integrity of this record would need to be protected in the meantime cryptographically.

Most of this functionality is already included in Linux Security Modules.  The LSM hooks constitute a reference monitor satisfying every needed aspect of the above concept except recording file history.  Therefore the most straightforward implementation of this concept is an extension to SELinux that adds the recording and cryptographic protection of file history.  Figure \ref{fig:architecture_ideal} shows the simple addition of a recording module and cryptographic pipeline to the file system.
